The link to the Merchandise page is back! For now we’d like to sell our stock of t-shirts from Shmoocon. After those are all gone we are going to work on getting some other kinds of schwag, stuff that you guys will love!

If you’d like to attend Thotcon but don’t have a ticket, we have one to give away! Keep in mind that Thotcon is on April 23rd in Chicago.

Starting now and running until 6PM Eastern on Friday, April 16th, anyone who leaves us feedback via iTunes or comments on a blog post will be entered into a drawing. The names will be put onto a spreadsheet in no particular order and then sorted in reverse. Each name will then have a number in front of it, and we will use random.org to randomly select the winner.

You must use the iTunes client to leave feedback in iTunes. If you leave a comment on a blog posting it must not be spam, and it must make some sort of sense; submissions that just say “Hi” or “asdfjkl;” will be disregarded.

In both cases the researchers were able to exploit the insufficient validation of parameters which are passed to the javaws command when used to deploy an application via a web page. The end result is that an attacker would be able to launch a .jar file of their choice, almost silently on the user’s machine.

The exploit appears very simple, and Tavis did contact Oracle regarding the issue, but was told that the vulnerability is not severe enough to justify releasing an out-of-band patch for it.

Mitigation for the vulnerability can mean setting ActiveX killbits for Internet Explorer, or using file system permissions to block the Java Deployment Toolkit (npdeploytk.dll) from running. More information on mitigation is available in the links below.
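The two mitigations above can be audited from an administrative PowerShell prompt. The script below is an added example written for this post, not code from SecuraBit or the researchers; it assumes the control's CLSID (a labelled placeholder here, to be taken from the vendor advisory) and that npdeploytk.dll lives somewhere under the Program Files trees. It reports whether the IE kill bit (the 0x400 flag in the ActiveX Compatibility key) is set and whether a Deny ACE removes Execute rights from the DLL.

```powershell
# Added example (not from the original post): audit the IE kill bit and the
# file-system block for the Java Deployment Toolkit. Run as Administrator.
$Clsid   = '{PLACEHOLDER-JAVA-DEPLOYMENT-TOOLKIT-CLSID}'   # substitute the real CLSID
$KillBit = 0x400   # COMPAT_KILL_BIT in the "Compatibility Flags" DWORD

function Test-KillBit {
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -ne 0)
}

function Find-DeployToolkit {
    # Search the assumed install roots for the Deployment Toolkit DLL
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'npdeploytk.dll' -Recurse -ErrorAction SilentlyContinue
    }
}

function Test-DllBlocked {
    param([string]$Path)
    # The DLL counts as blocked when any Deny ACE strips the ExecuteFile right
    $exec = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny' -and (([int]$ace.FileSystemRights -band $exec) -ne 0)) {
            return $true
        }
    }
    return $false
}

if (Test-KillBit -Clsid $Clsid) { "Kill bit SET for $Clsid" } else { "Kill bit NOT set for $Clsid" }

$dlls = @(Find-DeployToolkit)
if ($dlls.Count -eq 0) { "npdeploytk.dll not found under Program Files" }
foreach ($dll in $dlls) {
    $state = if (Test-DllBlocked -Path $dll.FullName) { 'execute DENIED' } else { 'execute ALLOWED' }
    "$($dll.FullName): $state"
}
```

A kill bit only covers Internet Explorer; browsers that load the toolkit as an NPAPI plugin rely on the file-system block, which is why the script checks both.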

Although Linux contains vulnerable code, I was unable to exploit it in the same manner. It likely can be exploited by using the proper sequence of command-line arguments, but the sudden release didn’t allow me to research this issue. I was focused on Windows at the moment of the disclosure.

SecuraBit is proud to announce that we have secured a Gold level sponsorship agreement with Sunbelt Software effective immediately. By joining forces with Sunbelt, SecuraBit will continue to build upon its listener base and promote products which we’ve personally used and believe the security community will also benefit from. If you recall, Brian Jack from SunbeltLabs joined us on EP51 to talk about CWSandbox. If you haven’t had a chance to listen, we highly recommend you take time out to listen to the functionality of CWSandbox and how it could potentially help your organization automate malware analysis when lack of personnel is a major issue.

Sunbelt Software was founded in 1994 and is a leading provider of Windows security software including enterprise antivirus, antispyware, email security, and malware analysis tools. Leading products include the VIPRE® and CounterSpy® product lines, Sunbelt Exchange Archiver™, CWSandbox™, and ThreatTrack™.